Administration Console Online Help

Configure two-way SSL

Before you begin

Before configuring two-way SSL, ensure that the trust keystore for the server includes the certificate for the trusted certificate authority that signed the certificate for the client. See Configure identity and trust.

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). When the server needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake. The server determines whether or not two-way SSL is used.

To configure two-way SSL:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).

In the left pane of the Console, expand Environment and select Servers.

Click the name of the server for which you want to configure SSL.

Select Configuration > SSL, and click Advanced at the bottom of the page.

Set the Two Way Client Cert Behavior attribute. The following options are available:

Client Certs Not Requested: The default (meaning one-way SSL).

Client Certs Requested But Not Enforced: Requests a certificate from the client. If a certificate is not presented, the SSL connection continues.

Client Certs Requested And Enforced: Requires a client to present a certificate. If a certificate is not presented, the SSL connection is terminated.

Click Save.

To activate these changes, in the Change Center of the Administration Console, click Activate Changes. Not all changes take effect immediately—some require a restart (see Use the Change Center).

After you finish

All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Old connections continue to run with the old configuration. To ensure that all SSL connections use the specified configuration, you must reboot WebLogic Server.